sessions: remove legacy user_name / password_hash cookies.

Remove support for logging in with the deprecated user_name / password_hash cookies. Followup to 320ff01e0.
2020-03-25 03:01:43 -05:00
parent 4b1114b4a4
commit 9e455695a1
6 changed files with 1 additions and 62 deletions
--- a/app/controllers/maintenance/user/deletions_controller.rb
+++ b/app/controllers/maintenance/user/deletions_controller.rb
@@ -8,8 +8,6 @@ module Maintenance
        deletion = UserDeletion.new(CurrentUser.user, params[:password])
        deletion.delete!
        session.delete(:user_id)
-        cookies.delete(:password_hash)
-        cookies.delete(:user_name)
        redirect_to(posts_path, :notice => "You are now logged out")
      end
    end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -22,8 +22,6 @@ class SessionsController < ApplicationController

  def destroy
    session.delete(:user_id)
-    cookies.delete(:user_name)
-    cookies.delete(:password_hash)
    redirect_to(posts_path, :notice => "You are now logged out")
  end

--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -1,12 +1,11 @@
 class SessionLoader
  class AuthenticationFailure < StandardError; end

-  attr_reader :session, :cookies, :request, :params
+  attr_reader :session, :request, :params

  def initialize(request)
    @request = request
    @session = request.session
-    @cookies = request.cookie_jar
    @params = request.parameters
  end

@@ -20,8 +19,6 @@ class SessionLoader
      load_param_user(params[:signed_user_id])
    elsif session[:user_id]
      load_session_user
-    elsif cookie_password_hash_valid?
-      load_cookie_user
    end

    set_statement_timeout
@@ -91,15 +88,6 @@ class SessionLoader
    CurrentUser.user = user if user
  end

-  def load_cookie_user
-    CurrentUser.user = User.find_by_name(cookies.signed[:user_name])
-    session[:user_id] = CurrentUser.user.id
-  end
-
-  def cookie_password_hash_valid?
-    cookies[:password_hash] && cookies.signed[:user_name] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
-  end
-
  def update_last_logged_in_at
    return if CurrentUser.is_anonymous?
    return if CurrentUser.last_logged_in_at && CurrentUser.last_logged_in_at > 1.week.ago
@@ -124,9 +112,5 @@ class SessionLoader
  def initialize_session_cookies
    session.options[:expire_after] = 20.years
    session[:started_at] ||= Time.now.utc.to_s
-
-    # clear out legacy login cookies if present
-    cookies.delete(:user_name)
-    cookies.delete(:password_hash)
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -165,10 +165,6 @@ class User < ApplicationRecord
      BCrypt::Password.new(bcrypt_password_hash)
    end

-    def bcrypt_cookie_password_hash
-      bcrypt_password_hash.slice(20, 100)
-    end
-
    def password=(new_password)
      @password = new_password
      self.bcrypt_password_hash = User.bcrypt(new_password)
@@ -205,15 +201,6 @@ class User < ApplicationRecord
        end
      end

-      def authenticate_cookie_hash(name, hash)
-        user = find_by_name(name)
-        if user && user.bcrypt_cookie_password_hash == hash
-          user
-        else
-          nil
-        end
-      end
-
      def bcrypt(pass)
        BCrypt::Password.create(sha1(pass))
      end
--- a/test/functional/maintenance/user/api_keys_controller_test.rb
+++ b/test/functional/maintenance/user/api_keys_controller_test.rb
@@ -23,25 +23,6 @@ module Maintenance
              assert_response :success
            end

-            # hard to test this in integrationtest
-            # context "if the user doesn't already have an api key" do
-            #   setup do
-            #     ::User.any_instance.stubs(:api_key).returns(nil)
-            #     cookies[:user_name] = @user.name
-            #     cookies[:password_hash] = @user.bcrypt_cookie_password_hash
-            #   end
-
-            #   should "generate one" do
-            #     ApiKey.expects(:generate!)
-
-            #     assert_difference("ApiKey.count", 1) do
-            #       post view_maintenance_user_api_key_path(user_id: @user.id), params: {user: {password: "password"}}
-            #     end
-
-            #     assert_not_nil(@user.reload.api_key)
-            #   end
-            # end
-
            should "not generate another API key if the user already has one" do
              assert_difference("ApiKey.count", 0) do
                post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}}
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -151,15 +151,6 @@ class UserTest < ActiveSupport::TestCase
    end

    context "password" do
-      should "match the cookie hash" do
-        @user = FactoryBot.create(:user)
-        @user.password = "zugzug5"
-        @user.password_confirmation = "zugzug5"
-        @user.save
-        @user.reload
-        assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
-      end
-
      should "match the confirmation" do
        @user = FactoryBot.create(:user)
        @user.old_password = "password"